Closed jedisct1 closed 11 months ago
Yes, that makes sense. I think it could go there. We haven't mentioned that different associated data affects the ciphertext for the standard variants either, have we? Perhaps we could mention both in one paragraph.
> We haven't mentioned that different associated data affects the ciphertext for the standard variants either, have we?
We haven't, but if we do, we should be cautious and set the preconditions for that to hold true. It can be a little bit complicated and confusing.
The AD and the message are absorbed the same way. Which implies that Enc(ad=AA...ABB...B, msg=CC...CDD...D) produces the same ciphertext as Enc(ad=AA...A, msg=BB...BCC...CDD....D) for DD....D.
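The boundary-shift property described in the comment above, as a structural sketch added here (not code from the thread or from the specification under discussion). SHA-256 stands in for the real state update, and `toy_encrypt`, `update`, `boundary_shift`, the 16-byte block size and the length-binding finalization are assumptions of this toy model.

```python
import hashlib

BLOCK = 16  # toy block size in bytes (assumption of this sketch)

def update(state: bytes, block: bytes) -> bytes:
    # One absorb step. SHA-256 stands in for the cipher's real state update;
    # the point is that AD blocks and message blocks go through the same call.
    return hashlib.sha256(b"updt" + state + block).digest()

def blocks(data: bytes) -> list:
    if len(data) % BLOCK:
        raise ValueError("toy model handles whole blocks only")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def toy_encrypt(key: bytes, nonce: bytes, ad: bytes, msg: bytes):
    state = hashlib.sha256(b"init" + key + nonce).digest()
    for a in blocks(ad):
        state = update(state, a)              # absorb associated data
    ct = b""
    for m in blocks(msg):
        # Keystream is derived from the state before the block is absorbed.
        ks = hashlib.sha256(b"strm" + state).digest()[:BLOCK]
        ct += bytes(x ^ y for x, y in zip(m, ks))
        state = update(state, m)              # absorb plaintext, same as AD
    # Toy finalization: the AD and message lengths are bound into the tag.
    lengths = len(ad).to_bytes(8, "little") + len(msg).to_bytes(8, "little")
    tag = hashlib.sha256(b"fin_" + state + lengths).digest()[:16]
    return ct, tag

# Constructed sample inputs: all-zero key and nonce, one block each of A, B, C, D.
KEY, NONCE = bytes(16), bytes(16)
A, B, C, D = (bytes([c]) * BLOCK for c in b"ABCD")

def boundary_shift():
    ct1, tag1 = toy_encrypt(KEY, NONCE, A + B, C + D)   # ad=AB, msg=CD
    ct2, tag2 = toy_encrypt(KEY, NONCE, A, B + C + D)   # ad=A,  msg=BCD
    same_d_block = ct1[-BLOCK:] == ct2[-BLOCK:]          # ciphertext of D
    same_tag = tag1 == tag2
    return same_d_block, same_tag

if __name__ == "__main__":
    print(boundary_shift())
```

In this model the ciphertext of the trailing block is identical under both splits, while the tags differ only because the finalization step mixes in the two lengths.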
It's not clear that the parallelism degree affects not only performance, but also the output.
We should mention somewhere that for a given (key,nonce,ad,msg), different parallelism degrees can produce different authentication tags. If #14 is merged, we should extend that to the ciphertexts.
What would be the best place for that? In the security considerations?